If you have found a security issue in Symfony, please send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.
Manage your notification preferences to receive an email as soon as a Symfony security release is published.

CVE-2019-11325: Fix escaping of strings in VarExporter

CVE-2019-11325 fixes an issue where some strings were not properly escaped while dumping, leading to possible remote code execution.

CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser

CVE-2019-18888 fixes an issue where provided file paths to the MimeTypeGuesser were not properly escaped before being executed.

CVE-2019-18886: Prevent user enumeration using switch user functionality

CVE-2019-18886 fixes an issue where one could enumerate users using the switch user functionality as different behaviour would occur when a user existed compared to when a user did not

CVE-2019-18887: Use constant time comparison in UriSigner

CVE-2019-18887 fixes an issue where one could guess the signature of an URI using a remote timing attack.

CVE-2019-18889: Forbid serializing AbstractAdapter and TagAwareAdapter instances

CVE-2019-18889 fixes an issue where the destructor of TagAwareAdapter execute callables stored in properties, leading to possible remote code execution when an external payload is unserialized.

CVE-2019-10909: Escape validation messages in the PHP templating engine

CVE-2019-10909 fixes an issue where when using the form theme of the PHP templating engine validation messages were not correctly escaped.

CVE-2019-10913: Reject invalid HTTP method overrides

CVE-2019-10913 ensures that HTTP Methods are sanitized for use in unescaped contexts.

CVE-2019-10912: Prevent destructors with side-effects from being unserialized

CVE-2019-10912 fixes an issue where files could be deleted or raw output echoed when some classes were unserialized.

CVE-2019-10911: Add a separator in the remember me cookie hash

CVE-2019-10911 fixes an issue where there was not a clear differentiation between different parts of the content of a cookie allowing for potential to authenticate as a different user in particular situations

CVE-2019-10910: Check service IDs are valid

CVE-2019-10910 fixes an issue where crafted service IDs could be executed as code